Capital One hacker who stole personal info on 100M arrested

A former AWS employee accessed Capital One data, including information on consumers and small businesses as of the time they applied for credit cards from 2005 through early 2019

In a swift move, the FBI has arrested a former software engineer for illegally accessing the data of Capital One Financial Corporation through a misconfigured web application firewall. Data on more than 100 million people was accessed, according to the company's announcement.

Paige A. Thompson, 33, described by Capital One as "an outside individual", posted on GitHub about the hack, which took place between 12 March and 17 July. Another GitHub user contacted Capital One; after the company confirmed the intrusion and theft, it alerted the FBI on 19 July.

"Reportedly, the intrusion had happened in March but was noticed only upon notification in late July. Given Capital One's comparatively immense capacity to invest in cybersecurity and the allegedly trivial nature of the vulnerability, such a protracted detection timeline is incomprehensibly huge," said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb.

"Capital One didn’t report it publicly for nearly two weeks after the breach occurred, until the FBI had arrested someone - something that the ICO has clamped down on in the UK," said Jake Moore, cyber-security specialist at ESET.

Informing affected customers as early as possible is crucial to protecting them from future fraud, should the data reach the dark web, he observed.

"Legal ramifications of the breach may be both exorbitant and protracted, including regulatory fines and penalties, individual and class action lawsuits by the victims," Kolochenko added.

Thompson turned out to be a former employee of Amazon Web Services, a Capital One contractor, Bloomberg reported. The criminal complaint against Thompson cites GitHub posts in which, under the handle "erratic", she discusses the breach, including the method used to access the data and her plans to distribute it.

"The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate," the company press release said.

According to the press release, the largest category of data accessed was information on consumers and small businesses as of the time they applied for credit cards from 2005 through early 2019.

"This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income," the announcement said.

Customer status data accessed included credit scores, credit limits, balances, payment history and contact information, along with approximately 140,000 Social Security numbers of its credit card customers and 80,000 linked bank account numbers.

Approximately one million Social Insurance Numbers of its Canadian credit card customers were also compromised in the incident.

"Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds," noted Igor Baikalov, chief scientist at Securonix.

"In this instance we’re seeing the vulnerabilities of the cloud converge with the constant risks of insider threat, only in this case it was a secondary insider as the threat came from a provider. What will this do to the B2B market if we can’t trust the employees and procedures done by our partners?" asked Justin Fier, director of cyber-intelligence at Darktrace.

"When you trust your data on someone else’s servers, you inherently trust the people that company has hired as if you hired them yourself. We sign contracts for cloud and SaaS without batting an eye because of all the money we will save. But do we ever ask about the data centre administrators walking through the rows of computers hosting our data?" he further questioned.

However, this incident alone should not be considered a setback for the adoption of public cloud, Baikalov added. "It should rather be viewed as another harsh reminder of the importance of third party security and insider threat programs for both providers and consumers of public cloud services," he said.

"Cloud is not going anywhere and this event in particular is not going to make everyone dust off our NAS boxes and come back to on-prem, but I think this will wake companies up to evaluating the risks associated with cloud computing," said Fier.

Catching the perpetrator does not guarantee that the information has not reached the dark web, he noted.

"In the new digital era, data is currency, and when it falls into the wrong hands it can spread like wildfire throughout the criminal community," Fier added.
